Recent releases of AIX installation media
(for 7.1 and 6.1) now contain the OpenSSH base installation filesets. This is
very handy; we no longer need to download or locate the software from other
sources.

One thing to consider is what this means
for future AIX migrations.

If you are migrating a system (that already has a version of SSH installed) to
AIX 7.1, you may notice that the first time you attempt to connect to the server
(after the 7.1 migration) the following ssh message appears:

root@nim1 : / # ssh aixlpar1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
59:68:05:71:60:b5:d1:96:87:df:f6:9c:ca:9a:14:3e.
Please contact your system administrator.
Add correct host key in /.ssh/known_hosts to get rid of this message.
Offending RSA key in /.ssh/known_hosts:17
RSA host key for aixlpar1 has changed and you have requested strict checking.
Host key verification failed.

In the output above I'm attempting to SSH from another system (nim1) to the newly
migrated AIX 7.1 LPAR. ssh is telling us that the host key presented by the
AIX 7.1 server does not match the key stored for aixlpar1 in the local system's
/.ssh/known_hosts file. Something has changed. Before accepting a changed key,
confirm that the fingerprint in the warning matches the one on the server itself
(ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on aixlpar1) rather than assuming
the migration explains it; this warning is the only signal a client gets that it
may be talking to the wrong host.

Now of course I could simply accept this change and update my known_hosts file.
ssh-keygen -R removes the stale entry for aixlpar1, and the new key is recorded
on the next connection:

root@nim1 : / # ssh-keygen -R aixlpar1
/.ssh/known_hosts updated.
Original contents retained as /.ssh/known_hosts.old

With known_hosts updated, I'm able to SSH to the AIX 7.1 system successfully.

cgibson@nim1 : /home/cgibson $ ssh aixlpar1 date
Mon Aug 20 19:44:20 EET 2012

But that fixes only my own known_hosts file. What about all the users that connect to
this system via SSH/SFTP/SCP? Do I really expect all of them to update their
known_hosts file with the new host key information?

This could create problems for automated tasks, like scripted file transfers,
which will fail outright under strict host key checking. If these transfers
stop working then there could be "hell to pay". So the question I'm often asked
is: what can I do to prevent this from happening in the first place? Luckily
there is a way.

In this
example, we are using nimadm to migrate from AIX 5.3 to 7.1. The
AIX 7.1 lpp_source resource was created using the AIX 7.1 installation media
DVDs. All filesets were copied from the DVDs, verbatim, to the new 7.1
lpp_source resource on the NIM master.

First we verify that the openssh* filesets are in fact in the AIX 7.1 lpp_source
on the NIM master.

root@nim1 : / # nim -o showres lpp_sourceaix710101 | grep -i ssh
  openssh.base.client        5.4.0.6100    I  N usr,root
  openssh.base.client        5.8.0.6101    I  N usr,root
  openssh.base.server        5.4.0.6100    I  N usr,root
  openssh.base.server        5.8.0.6101    I  N usr,root
  openssh.man.en_US          5.4.0.6100    I  N usr
  openssh.man.en_US          5.8.0.6101    I  N usr
  openssh.msg.EN_US          5.8.0.6101    I  N usr
  openssh.msg.en_US          5.4.0.6100    I  N usr
  openssh.msg.en_US          5.8.0.6101    I  N usr

On the NIM client (running AIX 5.3), we verify there is an older version of
OpenSSH already installed. The migration removes these filesets (and the
associated /etc/ssh/ssh_host_* files). The newer version of OpenSSH is then
installed and new ssh_host_key* files are generated, which is why the remote
SSH clients' known_hosts files no longer hold the correct host keys.

Rather than restoring the original host keys by hand after the migration, you
can include that step as a post-migration task with nimadm, so the keys are
back in place before anyone connects to the migrated system.

An alternative way to work around this problem (after the fact) is to restore
the original ssh_host_key* files from a backup. For example, I copied the
original /etc/ssh directory (including the ssh_host_key* files) to my home
directory before starting the AIX migration.

aixlpar1 : / # cd /etc
aixlpar1 : /etc # cp -pr ssh /home/cgibson/ssh_orig/

In the output below, I discover that my ssh_host_key* files have all been
recreated during the migration: note the Aug 20 21:45 timestamps against the
2007 and 2008 dates on the untouched configuration files.

aixlpar1 : /etc/ssh # ls -ltr
total 352
-rw-r--r--    1 root     system         1288 May 01  2007 ssh_config
-rw-r--r--    1 root     system         1155 May 04  2007 sshd_banner
-rw-r--r--    1 root     system         2867 Oct 29  2008 sshd_config
-rw-r-----    1 root     system            7 Aug 20 21:00 sshd.pid
-rw-r--r--    1 root     system         2341 Aug 20 21:19 ssh_prng_cmds
-rw-------    1 root     system       132839 Aug 20 21:19 moduli
-rw-r-----    1 root     system          382 Aug 20 21:45 ssh_host_rsa_key.pub
-rw-------    1 root     system         1679 Aug 20 21:45 ssh_host_rsa_key
-rw-r-----    1 root     system          630 Aug 20 21:45 ssh_host_key.pub
-rw-------    1 root     system          965 Aug 20 21:45 ssh_host_key
-rw-r-----    1 root     system          590 Aug 20 21:45 ssh_host_dsa_key.pub
-rw-------    1 root     system          668 Aug 20 21:45 ssh_host_dsa_key

I copy the original files back to the /etc/ssh directory and restart the sshd
subsystem so it picks up the restored ssh_host* files. Remote clients that
already hold the old key in known_hosts then connect again without the warning.

aixlpar1 : /etc/ssh # cp -p /home/cgibson/ssh_orig/ssh_host_* .
aixlpar1 : /etc/ssh # ls -ltr
total 352
-rw-r--r--    1 root     system          210 Feb 03  2006 ssh_host_rsa_key.pub
-rw-------    1 root     system          887 Feb 03  2006 ssh_host_rsa_key
-rw-r--r--    1 root     system          319 Feb 03  2006 ssh_host_key.pub
-rw-------    1 root     system          515 Feb 03  2006 ssh_host_key
-rw-r--r--    1 root     system          590 Feb 03  2006 ssh_host_dsa_key.pub
-rw-------    1 root     system          668 Feb 03  2006 ssh_host_dsa_key
-rw-r--r--    1 root     system         1288 May 01  2007 ssh_config
-rw-r--r--    1 root     system         1155 May 04  2007 sshd_banner
-rw-r--r--    1 root     system         2867 Oct 29  2008 sshd_config
-rw-r-----    1 root     system            7 Aug 20 21:00 sshd.pid
-rw-r--r--    1 root     system         2341 Aug 20 21:19 ssh_prng_cmds
-rw-------    1 root     system       132839 Aug 20 21:19 moduli

aixlpar1 : /etc/ssh # stopsrc -s sshd
0513-044 The sshd Subsystem was requested to stop.

aixlpar1 : /etc/ssh # startsrc -s sshd
0513-059 The sshd Subsystem has been started. Subsystem PID is 3997822.
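The backup, restore and restart steps above, and the idea of running them as a nimadm post-migration task, can be scripted. The script below is an added example and is not from the original post: it wraps the same steps in functions, adds a verification pass (the restored files are compared byte-for-byte with the backup before sshd is restarted), and takes the directories as parameters so the whole sequence can be rehearsed in a scratch directory. /etc/ssh and /home/cgibson/ssh_orig are the post's paths; the function names, the placeholder file contents in demo, and the use of mktemp for the scratch run are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): preserve sshd host keys across an
# AIX migration. Same steps as the post (cp -p the ssh_host_* files aside, copy
# them back, stopsrc/startsrc sshd) with a verification pass in between.
# Function names and placeholder key contents are assumptions.

# backup_host_keys SRC_DIR DEST_DIR
# Copy every ssh_host_* file (private keys and .pub files) from SRC_DIR to
# DEST_DIR with cp -p, preserving mode and timestamps. Fails if nothing was
# found, so a typo in SRC_DIR cannot produce an empty "backup".
backup_host_keys() {
    src=$1; dest=$2; count=0
    mkdir -p "$dest" || return 1
    chmod 700 "$dest" || return 1        # private keys: keep the backup dir owner-only
    for f in "$src"/ssh_host_*; do
        [ -f "$f" ] || continue
        cp -p "$f" "$dest"/ || return 1
        count=$((count + 1))
    done
    [ "$count" -gt 0 ]
}

# keys_match DIR_A DIR_B
# Succeed only if both directories hold the same set of ssh_host_* files with
# identical contents. This is the check the post made by eye from ls -ltr.
keys_match() {
    a=$1; b=$2
    for f in "$a"/ssh_host_*; do
        [ -f "$f" ] || continue
        cmp -s "$f" "$b/$(basename "$f")" || return 1
    done
    for f in "$b"/ssh_host_*; do
        [ -f "$f" ] || continue
        [ -f "$a/$(basename "$f")" ] || return 1
    done
    return 0
}

# restore_host_keys BACKUP_DIR SSH_DIR
# Copy the saved keys over the ones the migration generated, then verify with
# keys_match so sshd is never restarted with a half-restored key set.
restore_host_keys() {
    bak=$1; dir=$2
    for f in "$bak"/ssh_host_*; do
        [ -f "$f" ] || continue
        cp -p "$f" "$dir"/ || return 1
    done
    keys_match "$bak" "$dir"
}

# show_fingerprints DIR
# Print the fingerprint of each public host key in DIR; this is what remote
# clients compare against known_hosts. Skipped if ssh-keygen is not on the PATH.
show_fingerprints() {
    command -v ssh-keygen >/dev/null 2>&1 || return 0
    for f in "$1"/ssh_host_*.pub; do
        [ -f "$f" ] && ssh-keygen -lf "$f"
    done
    return 0
}

# restart_sshd: the SRC commands from the post. Only call this on the AIX host,
# after the restore has verified, e.g.
#   restore_host_keys /home/cgibson/ssh_orig /etc/ssh && restart_sshd
restart_sshd() {
    stopsrc -s sshd && startsrc -s sshd
}

# demo: rehearse the sequence in a scratch directory with constructed placeholder
# files (not real key material). Returns 0 only if the regenerated keys are
# detected as different and the restore brings the originals back intact.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/etc_ssh" || return 1
    for k in key rsa_key dsa_key; do
        printf 'ORIGINAL %s PRIVATE (placeholder)\n' "$k" > "$work/etc_ssh/ssh_host_$k"
        printf 'ORIGINAL %s PUBLIC (placeholder)\n' "$k" > "$work/etc_ssh/ssh_host_$k.pub"
    done
    printf 'sshd_config (left alone by the migration)\n' > "$work/etc_ssh/sshd_config"

    # 1. before the migration: take the backup (the post's cp -pr step)
    backup_host_keys "$work/etc_ssh" "$work/ssh_orig" || return 1

    # 2. the migration reinstalls openssh.base.server, which regenerates the keys
    for k in key rsa_key dsa_key; do
        printf 'NEW %s PRIVATE (placeholder)\n' "$k" > "$work/etc_ssh/ssh_host_$k"
        printf 'NEW %s PUBLIC (placeholder)\n' "$k" > "$work/etc_ssh/ssh_host_$k.pub"
    done
    keys_match "$work/ssh_orig" "$work/etc_ssh" && return 1   # must differ now

    # 3. after the migration: restore and verify (on AIX, then restart_sshd)
    restore_host_keys "$work/ssh_orig" "$work/etc_ssh" || return 1
    show_fingerprints "$work/etc_ssh"
    rm -rf "$work"
    echo "host keys restored and verified"
}

demo
```

On the real system the pre-migration call is backup_host_keys /etc/ssh /home/cgibson/ssh_orig and the post-migration call is restore_host_keys /home/cgibson/ssh_orig /etc/ssh && restart_sshd; the restore is a no-op for anything that is not an ssh_host_* file, so the new release's sshd_config and moduli are left as the migration installed them.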